Shortcut virus - location: cmd (C:\Windows\System32) ????

Hello,

I would appreciate it if TwinHeaded Eagle would lend me a hand too, just like you did with RunaLlena’s problem. I already followed the thread, but not until after I had generated a log as Addition.txt. An instruction to open Notepad and copy/paste some text from the thread, and a note “NOTICE: This script is written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.”, stopped me from going further because of that notice. Please help me solve my problem also.

Thanks!

Will appreciate also if anybody could help me with this problem.

Hi, I will be working on your Malware issues. :wink:

At the very beginning we’ll run system diagnostics with this tool. That will allow us to quickly ascertain from where malware is running …
PS: Do NOT use USB’s devices while cleaning is in progress.

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Thanks for being helpful. Unfortunately, I have no other way to reply here without using my USB Plug-it modem. Will it still be ok? Herewith are the logs generated for your reference.

Hi jognt76, Yes, that’s Ok. :wink:

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

According to the logs, you’ve run GMER. Please post here the GMER logfile located on your Desktop:


First, what you need to do is uninstall and remove the PUP software:

Start > Control Panel > Programs and Features, uninstall the following:

Movies Toolbar for Chrome
Movies Toolbar for Firefox

Then we shall tell FRST to target the malware and some PUP entries if they remain after the uninstall process. It is necessary to set Google Chrome back to Google; Ask should be removed from your search scope.
Anti-VBS/VBE is a tool for an additional check. Lastly, MCShield is a tool to scan all removable (USB) drives, and if malware is there (naturally this malware attempts to copy its files to each one, attempting to expand) MCShield shall clean that.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
(Microsoft Corporation) C:\Windows\System32\wscript.exe
C:\Users\SUPREM~1\AppData\Local\Temp\*.vbs
C:\Users\Supreme Court\AppData\Local\Temp\dc_jcclz.dll
C:\Users\Supreme Court\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\Supreme Court\AppData\Local\Temp\install_flashplayer11x32ax_gtbp_chra_aih.exe
C:\Users\Supreme Court\AppData\Local\Temp\Quarantine.exe
C:\Users\Supreme Court\AppData\Local\Temp\Uninst.exe
C:\Users\Supreme Court\AppData\Local\Temp\{319752EC-087C-4593-A006-17A8360BFCCD}-27.0.1453.94_26.0.1410.64_chrome_updater.exe
C:\Users\Supreme Court\AppData\Local\Temp\{3F86FC32-2D79-4B62-B3C8-C9AFEB57A33F}-31.0.1650.57_30.0.1599.101_chrome_updater.exe
C:\Users\Supreme Court\AppData\Local\Temp\{9A6CB044-A7F3-48D3-B148-6C1A005125C6}-32.0.1700.76_31.0.1650.63_chrome_updater.exe
C:\Users\Supreme Court\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs
C:\Users\Supreme Court\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaabcbmongicmdegkmmfgdickgnnob
C:\Users\Supreme Court\AppData\Local\ilividmoviestoolbarha
HKU\S-1-5-21-2458930710-739713664-1444440201-1000\...\Run: [jmwycewqcr] - wscript.exe //B "C:\Users\SUPREM~1\AppData\Local\Temp\jmwycewqcr..vbs" <===== ATTENTION
Startup: C:\Users\Supreme Court\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmwycewqcr..vbs ()
CHR Extension: (Movies Toolbar) - C:\Users\Supreme Court\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaabcbmongicmdegkmmfgdickgnnob [2013-12-11]
CHR HKLM\...\Chrome\Extension: [aaaaabcbmongicmdegkmmfgdickgnnob] - C:\Users\Supreme Court\AppData\Local\ilividmoviestoolbarha\GC\toolbar.crx [2013-11-05]
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
AlternateDataStreams: C:\Windows:nlsPreferences
CMD: ipconfig /flushdns
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


Set Google Chrome home URL and search scope back to google


Follow this instruction and set the Chrome URL and Search scope to google.com
https://support.google.com/chrome/answer/95314?hl=en


Anti-VBS/VBE Scan


Please download Anti-VBSVBEx86.exe on your Desktop

[*]Double click to run the tool and wait until it finishes.
[*]It will make a log named Anti-VBSVBE.txt. Please attach it to your reply.


MCShield Scan


Please download MCShield from one of the following links:

MCShield -Official download link

[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
[*]Wait a few seconds for MCShield to finish the initial HDD scan…
[*]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), for the AllScans.txt log section click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post here AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
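The fixlist above is a compact record of how this script worm persists: a Run value that starts wscript.exe //B (silent mode) on a .vbs in the user's Temp folder, a second copy of the same .vbs in the Startup folder, a Chrome extension, and a set of IFEO entries whose Debugger value is tasklist.exe (when an executable name has a Debugger value under Image File Execution Options, Windows starts that "debugger" instead of the program, so the listed programs never run). As an added illustration for anyone triaging their own FRST output, the Python below classifies FRST-style lines into those categories. It is not code from the thread or from Farbar's tool; the sample log lines, SID, user name and paths are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in FRST's log style (hypothetical SID, user and paths; not from the thread's logs).
SAMPLE_LOG = r"""
HKU\S-1-5-21-1111111111-222222222-333333333-1000\...\Run: [jmwycewqcr] - wscript.exe //B "C:\Users\EXAMPL~1\AppData\Local\Temp\jmwycewqcr..vbs" <===== ATTENTION
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe
Startup: C:\Users\Example\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmwycewqcr..vbs ()
Startup: C:\Users\Example\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini ()
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\notepad.exe: [Debugger] "C:\Program Files\Example Debugger\dbg.exe"
AlternateDataStreams: C:\Windows:nlsPreferences
"""

# Windows Script Host binaries and the script types they run.
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|wsh|hta)\b", re.IGNORECASE)
# Locations any user process can write to; legitimate autoruns rarely live there.
USER_WRITABLE_RE = re.compile(r"(?:\\AppData\\|\\Temp\\|%TEMP%|\\ProgramData\\|\\Users\\Public\\)", re.IGNORECASE)

# Line shapes as FRST prints them (hive\...\Run: [name] - cmd, Startup: path (), IFEO\exe: [Debugger] x).
RUN_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*?\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?:-|=>) (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<path>.+?)(?: \([^()]*\))?$")
IFEO_RE = re.compile(r"^IFEO\\(?P<exe>[^:]+): \[Debugger\] (?P<debugger>.+)$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<target>.+)$")


@dataclass
class Finding:
    kind: str
    severity: str
    detail: str
    line: str


def analyze_line(raw: str) -> Optional[Finding]:
    """Classify one FRST log line; None means nothing of interest."""
    line = raw.strip()
    if not line:
        return None
    m = RUN_RE.match(line)
    if m:
        # FRST appends "<===== ATTENTION" to suspicious entries; drop it before inspecting the command.
        cmd = m.group("cmd").split(" <=====")[0].strip()
        if SCRIPT_HOST_RE.search(cmd) and SCRIPT_EXT_RE.search(cmd):
            where = "user-writable path" if USER_WRITABLE_RE.search(cmd) else "non-temp path"
            return Finding("script_autorun", "high",
                           f"Run value '{m.group('name')}' starts a script host from a {where}: {cmd}", line)
        return Finding("autorun", "info", f"Run value '{m.group('name')}' -> {cmd}", line)
    m = STARTUP_RE.match(line)
    if m:
        path = m.group("path")
        if SCRIPT_EXT_RE.search(path):
            return Finding("startup_script", "high", f"Script in Startup folder: {path}", line)
        return None
    m = IFEO_RE.match(line)
    if m:
        # Any Debugger value replaces the program with the named binary; tasklist.exe just exits.
        return Finding("ifeo_debugger", "medium",
                       f"{m.group('exe')} is redirected to '{m.group('debugger')}' and will not start on its own", line)
    m = ADS_RE.match(line)
    if m:
        return Finding("ads", "low", f"Alternate data stream on {m.group('target')}", line)
    return None


def analyze_log(text: str) -> List[Finding]:
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:<6}] {f.kind:<15} {f.detail}")
    print(summarize(results))
```

The high-severity hits are exactly the two entries the fixlist removes (the Run value and the Startup copy); a responder would confirm both point at the same script before killing wscript.exe, since removing only one of them leaves the worm a way back at next logon.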

Hello again Magna86. :slight_smile:

Your instructions were followed, but only until I had to download the Anti-VBE/VBS scan and MCShield scan, where Trend Micro blocks their URLs. Downloading is unsuccessful. Still, the logs generated for the first two instructions are attached. Hope to still hear from you.

Thanks!

It is a known issue; you have to turn off Trend Micro so you can download and run them.

Trend Micro has employees with frivolous behavior …

The MCShield official site has been repeatedly reported as an FP to them (by the second author of the program), but they just do not want to make the effort (they are paid for that) and check the site and setup.
MCShield is digitally signed, and the site doesn’t have any advertisement or banner that could trigger TM, so …
You can ignore these (dare I say) hugely stupid TM detections. Who knows how many more developers in the world have a problem with them …

=> Disable TM real time protection (or better yet, uninstall TM and install avast! which is free) and do the other steps.
Note: If you attach the infected USB to a clean host computer, re-infection will occur and the cleaning was in vain. MCShield is a crucial step to clean these script worms.

Damn San! Yeah, Trend Micro (I’m not here saying they suck but…) Avast! is much better. I find it difficult to get infected. TM might be the same way, but has way too many FP’s on very well known products such as Minecraft.

You’d think that after 14.5 million people buy and download Minecraft, they’d get off their A**es and fix the FP’s.